Running an image, that requires root-level privileges within container, in OKD #1891
Replies: 3 comments 1 reply
-
OKD runs containers as non-root unless the container explicitly requests to run as user 0 and has permissions to do so. See https://www.redhat.com/en/blog/managing-sccs-in-openshift
-
I'd recommend creating your own build of the container that meets the expectations of an unprivileged environment like OKD. Many applications will offer ways to override the listening ports. If you look into this possibility with the application you need to run, you may find a config file you can override with a ConfigMap or perhaps an environment variable that you can set to adjust the configuration at run time. Hope this helps.
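A sketch of the approach suggested in the reply above, added here as an illustration and not taken from the thread or from the OKD project: the process binds an unprivileged port while the Service and Route keep 80 and 443 on the client side. The image name, the `LISTEN_PORT` variable and port 8080 are assumptions; substitute whatever setting the application actually documents.

```yaml
# Added example. Assumptions (not from the thread): the image name, the
# LISTEN_PORT variable and port 8080 are hypothetical placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels: {app: web}
  template:
    metadata:
      labels: {app: web}
    spec:
      containers:
        - name: web
          image: registry.example.com/vendor/web:1.0   # placeholder image
          env:
            - name: LISTEN_PORT      # hypothetical; use the variable the app documents
              value: "8080"
          ports:
            - containerPort: 8080    # above 1023, so no root or NET_BIND_SERVICE needed
          securityContext:           # settings compatible with a restricted SCC
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}
            seccompProfile: {type: RuntimeDefault}
---
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  selector: {app: web}
  ports:
    - name: http
      port: 80            # port clients inside the cluster connect to
      targetPort: 8080    # port the unprivileged process actually binds
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: web
spec:
  to: {kind: Service, name: web}
  port: {targetPort: http}
  tls:
    termination: edge     # router serves HTTPS on 443, forwards plain HTTP to the pod
    insecureEdgeTerminationPolicy: Redirect
```

If the application reads its port from a config file instead of an environment variable, mount that file from a ConfigMap in place of the `env` entry; the Service and Route stay the same.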
-
Hi,
I have this problem often, and normally you can resolve it with a combination of overwriting aspects of the original image and patching the original deployment.
As an example: I’ve made a NextCloud deployment on the basis of the original helm installer, an overwriting Dockerfile and kustomize.
You can find the example here:
https://gitlab.pflaeging.net/pflaeging-net-public/nextcloud-okd
Greetings
peter pfläging
📞+43 699 1410 7990 (Tel, Signal, Telegram)
🏠 In den Jochen 49, A-2122 Ulrichskirchen, Austria
🌍 https://www.pflaeging.net/
🌍 https://www.stickiebox.org/
On 21.02.2024 at 16:37, manas-suleman wrote:
Hi,
OKD newbie here. I'm trying to deploy a container image that starts a web server and listens on ports 80 and 443. Since OKD runs containers as non-root, and ports 80 and 443 are privileged ports, it fails to listen on those ports. Since I don't own the image, I cannot change the port. My question is, what's the recommended way of making such containers work in OKD? It may be something obvious but I haven't been able to find a solution to this issue yet.
NOTE: I'm not looking to run container as root or using any similar approach that will affect the pod or infrastructure safety.
-
Hi,
OKD newbie here. I'm trying to deploy a container image that starts a web server and listens on ports 80 and 443. Since OKD runs containers as non-root and ports 80 and 443 are privileged ports, it fails to listen on those ports. Since I don't own the image, I cannot change the port. My question is, what's the recommended way of making such containers work in OKD? It may be something obvious but I haven't been able to find a solution to this issue yet.
NOTE: I'm not looking to run container as root or using any similar approach that will affect the pod or infrastructure safety.